Cloudflare names OVH and Hetzner behind DDOS attack


Cloudflare released a report of a massive DDOS attack, citing several well-known cloud hosting data centers as the source of the attack. The attack appeared to follow a trend of attacks increasingly being launched from data centers instead of traditional residential botnets.

The attack has been described as one of the largest ever:

“Earlier this month, Cloudflare systems automatically detected and mitigated a 15.3 million requests per second (rps) DDoS attack, one of the largest HTTPS DDoS attacks on record.


A Distributed Denial of Service (DDoS) attack occurs when thousands of Internet-connected devices make page requests at a rapid rate, which can cause the website server to be unable to service web page requests from a condition known as denial. Services.

DDOS attacks usually come from so-called botnets.


A botnet is a network of internet-connected devices such as routers, IoT devices, computers, websites, and web hosting servers that are infected and brought under the control of hackers.

From residential ISP botnets to cloud-based data centers

The Cloudflare report noted that DDOS attacks are increasingly coming from cloud-based data centers instead of residential ISP botnets. This represents a change in tactics.

According to the Cloudflare DDOS attack report:

“What is interesting is that the attack came mainly from data centers. We are seeing a big shift from residential network Internet Service Providers (ISPs) to cloud computing ISPs.

Major Cloud Data Centers

Cloudflare named several cloud-based data centers as the origin of the attack, two of which are already well known in the publisher community as common sources of spam and unwanted bot visitors.

The two main sources of this DDOS attack, according to data from Cloudflare, were OVH and Hetzner.

Cloudflare offered these details:

“…the attack originated from over 1,300 different networks. Major networks included German provider Hetzner Online GmbH (autonomous system number 24940), Azteca Comunicaciones Colombia (ASN 262186), OVH in France (ASN 16276), as well as other cloud providers.

OVH and Hetzner as sources of spam

In addition to being the source of DDOS attacks, OVH and Hetzner are known to be sources of spam-related attacks.

According to the SaaS spam protection service CleanTalk Dataspambots originating from OVH represent 10.97% of the activity detected from IP addresses associated with OVH.

Spam activity from Hetzner which was detected by CleanTalkout of 213,621 IP addresses detected as a source of traffic, 14,997 (7.02%) of these IP addresses were associated with spam attacks.

While DDOS and spam attacks are two different things, these statistics are cited to show how these two cloud data centers are used for a variety of malicious activities, not just DDOS attacks.

A WebmasterWorld Forum editor recently observed that he was experiencing more bot traffic from OVH than legitimate human traffic from known ISPs.

The WebmasterWorld member written in a forum post:

“Over the past 24 months, the web server logs on a dozen websites I manage have a high percentage of traffic coming from the OVH data center.

This traffic arrives via numerous IP addresses assigned to OVH. Since the volume of traffic is considerably larger than traffic from legitimate ISPs (ATT, Verizon, Charter, Comcast, Shaw, etc.), I have a feeling that OVH’s traffic is due to bots/ scrapers hosted at OVH data center cloud servers.

Traffic from unwanted OVH bots is such a common problem that when an OVH data center in France burned down a A member of WebmasterWorld practically applauded the event by posting:

“Looking on the bright side, our websites will now have less bot traffic.”

The question that may be worth asking is: why is there so much malicious bot traffic from OVH and Hetzner?

It’s not something new either. Complaints from webmasters and publishers about traffic from OVH bots go back a long way.

Here are examples of discussions on WebmasterWorld involving OVH:

The above are forum threads dating back to 2013 where publishers and webmasters complained about OVH’s malicious bot traffic.

In a 2015 WebmasterWorld forum discussion titled Botnet sources, a forum member posted:

“RE: botnets, I’m more concerned about people mistakenly clicking on my advertisers (hosted, third-party, and AdSense.)

However, I’m sure there is significant crossover between the two categories, so these Spamhaus-related articles are a good read, thanks. Little surprise that OVH is leading the pack!”

Given OVH and Hetzner’s long history of rogue bot trafficking, it’s not entirely surprising to see that they are now being cited by Cloudflare as being behind a DDOS attack.

OVH and Hetzner are behind bots and DDOS attacks

It is well documented by spam blocking Saas services that OVH and Hetzner are sources of spam. We now have documentation from Cloudflare indicating that cloud hosting services from OVH and Hetzner are behind the DDOS attacks.

Cloudflare identified the attacks as originating from a botnet on these cloud hosts. This may therefore mean that various servers have been compromised.


Read Cloudflare’s DDOS attack report

Cloudflare blocks a 15 million rps HTTPS DDoS attack


Comments are closed.